Skillv1.2.0

ClawScan security

Workspace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 11, 2026, 3:29 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The package's code and runtime instructions broadly match an 'auto-evolve' project-inspection tool, but there are multiple mismatches and undeclared privileges (Git/GitHub interactions, local memory/db access, scheduling/auto-commit) that are disproportionate to the registry metadata and the declared requirements.
Guidance: This package implements a powerful auto‑inspection + auto‑execution system that will read local OpenClaw/HawkBridge memory, run git/gh/pytest, commit & push changes, create releases, close issues, and can be scheduled to run automatically. Before installing, verify: (1) you trust the author (metadata is inconsistent), (2) there are no secrets or sensitive conversation data in ~/.openclaw or hawk-bridge you don't want read, (3) the 'gh' CLI and git credentials currently on the host grant only minimal scope (or run in a sandbox/test account), (4) run the code in a disposable/non-production repository first with mode set to semi-auto/dry-run, and (5) inspect and audit the bundled Python scripts (they are included) for any behavior you don't expect. If you are uncomfortable with automatic commits or issue-closing, do not enable full-auto or scheduling and consider rejecting this skill until metadata and required permissions are clarified.
Findings: [subprocess-run] expected: Multiple files (scripts/analyzers.py, auto-evolve.py etc.) call subprocess.run to execute git, gh, pytest and other commands. Running external commands is expected for a scanner/executor, but it also means the skill will use whatever credentials/config are present on the host. [sqlite-access] expected: The code reads OpenClaw SQLite memory files to obtain persona context. This is coherent with 'persona-aware' scans, but it means the skill will access potentially sensitive conversation history stored in ~/.openclaw/workspace. [lancedb-import] expected: HawkBridge LanceDB integration (lancedb) is present. This explains accesses to vector memory but requires additional local files/libraries, and could expose stored embeddings/contexts. [auto-close-github-issues] expected: Changelog and code describe an IssueLinker that will comment on and close GitHub issues after commits. This is a functional feature, but it requires GitHub permissions and can alter upstream issue states automatically. [missing-declared-env] unexpected: Despite operations that require credentials (GitHub/gh, possibly LLM API keys) the registry declares no required env vars or primary credentials. This is a material metadata mismatch.

Review Dimensions

Purpose & Capability: concernThe SKILL.md and code implement an Auto‑Evolve project-inspection/execution system (scanning repos, making/committing changes, creating releases, auto-closing GitHub issues, scheduling cron jobs, reading persona memories). That aligns with the description 'automates project inspection'. However registry metadata/inventory claims 'No required env vars' and 'instruction-only' while the package contains many Python scripts that call git/gh, access local OpenClaw SQLite and LanceDB, run pytest, and may call LLMs. The slug/owner metadata referencing 'hawk-bridge' is inconsistent with the skill name 'Workspace' and the code (auto-evolve), suggesting packaging/metadata mismatch.
Instruction Scope: concernSKILL.md and CLI examples instruct the tool to scan arbitrary repos, read persona memory (OpenClaw SQLite), read HawkBridge LanceDB, run tests, create/merge PRs, commit & push changes, create GitHub releases, and schedule recurring scans via 'openclaw cron'. These instructions require reading local files, credentials and mutating remote repos. The instructions also reference running commands that could transmit data (e.g., calling 'gh', pushing commits) and close GitHub issues automatically — all beyond a passive scanner.
Install Mechanism: noteNo install spec is declared in the registry, but full Python source files are bundled in the package. There are no external downloads in the provided manifest (lower risk), but the code expects external CLIs/libraries (gh CLI, pytest, lancedb) and will call subprocesses. The mismatch (declared instruction-only vs included code) is an engineering inconsistency that deserves attention.
Credentials: concernThe registry declares no required env vars or credentials, yet the code reads environment variables (OPENCLAW_AGENT_ID), accesses local OpenClaw workspace files and SQLite DBs, attempts to use HawkBridge LanceDB, and invokes 'gh' and 'git' via subprocess. Those tools rely on credentials or local state (GitHub token, SSH keys, stored tokens in gh). The code also refers to LLM configuration and cost tracking—all of which imply access to API keys/config not declared in metadata. Declaring no credentials is disproportionate to the actual access and operations.
Persistence & Privilege: concernalways:false (good), but the tool is designed to modify repositories (auto-commit, push, create releases), close GitHub issues, create cron jobs via openclaw, and can be set to full-auto. Autonomous invocation is allowed by default; combined with the code's ability to modify remote repos, auto-close issues, and alter scheduling, this gives the skill broad potential impact. It also reads other skills' workspace/memory (OpenClaw/HawkBridge), crossing boundaries into other agents' data.